
ACL advice needed ...




greetings,

I'm trying to configure an ACL. I believe it is possible to ... but after
some attempts I doubt it is ...

please help me understand where I'm making the mistake(s) ...

I need to allow "coadmins" group members to manage everything
except the objects of "admins" group members

please forgive my long explanation ...

so I have:

Important: the starting point in my case is the structure of the auth accounts:

users authenticate with (let's call them) "root" objects (the uppermost level):
uid=<USER>,ou=People,dc=abc

---[ accounts and groups start ]-------------------------------------------
dn: uid=admin1,ou=People,dc=abc
dn: uid=admin7,ou=People,dc=abc
dn: uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc

dn: uid=coadmin5,ou=People,dc=abc
dn: uid=johndoe,authorizedService=serviceA,uid=coadmin5,ou=People,dc=abc

dn: uid=coadmin6,ou=People,dc=abc

dn: cn=admins,dc=abc
memberUid: admin1
---[ accounts and groups end   ]-------------------------------------------

the memberUid attribute values of the group objects contain the uid of the
"root" objects

---[ group structure start ]-------------------------------------------
dn: cn=coadmins,ou=group,dc=abc
memberUid: coadmin5
memberUid: coadmin6
---[ group structure end   ]-------------------------------------------


here is the ACL I managed to get working as I want:

---[ quotation start ]-------------------------------------------
access to dn.subtree="dc=abc" attrs=userPassword
        by set="[cn=admin,ou=group,dc=abc]/memberUid & user/uid" manage
        by set.exact="this/-2 & user" write
        by self write
        by anonymous auth
        by * break
---[ quotation end   ]-------------------------------------------

this allows admins to manage anybody's password, and all other users to
manage the passwords of their own "root" account and service accounts (see
the structure of the account objects above)


and now I had hoped to do the same to allow coadmins to manage the
passwords of anybody except admins, and here is what I came up with:

---[ quotation start ]-------------------------------------------
access to dn.subtree="dc=abc" attrs=userPassword
        by set="[cn=admin,ou=group,dc=abc]/memberUid & user/uid" manage
        by set="(([cn=admin,ou=group,dc=abc]/memberUid & this/uid) | ([cn=admin,ou=group,dc=abc]/memberUid & [this/-2]/uid)) & ([cn=coadmin,ou=group,dc=abc]/memberUid & user/uid)" disclose
        by set="[cn=coadmin,ou=group,dc=abc]/memberUid & user/uid" manage
        by set.exact="this/-2 & user" write
        by self write
        by anonymous auth
        by * break
---[ quotation end   ]-------------------------------------------

and it doesn't work


the idea behind the second `by set=' row is:
to deny coadmins all access to userPassword if the account belongs to an admin

am I right to expect:

1.1. "[cn=admin,ou=group,dc=abc]/memberUid & this/uid"
     is true if the uid of the current record is a member of the group `admin'

     when `this' is the "root" account itself (uid=admin7,ou=People,dc=abc)

1.2. "[cn=admin,ou=group,dc=abc]/memberUid & [this/-2]/uid"
     is true if the uid of the "root" account (uid=admin7,ou=People,dc=abc) is an admin group member

     when `this' is a service account like:
     uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc
     `this/-2' trims it to `uid=admin7,ou=People,dc=abc' and `/uid' has to provide the uid value

1.3. "[cn=coadmin,ou=group,dc=abc]/memberUid & user/uid"
     is true if the uid of the currently logged-in user is a coadmin group member


so ... was I successful in explaining what I want? :)

-- 
Zeus V. Panchenko				jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)
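An added model, not part of the post above and not slapd's own set evaluator, of how the ordered `by` clauses of the second ACL are meant to resolve. Each set expression is re-stated as a Python predicate under the post's reading of the syntax (`this/-2` drops the two leftmost RDNs), the directory is constructed to mirror the structure in the post, and the model assumes that admin7 is an admins member (the listing shows only admin1 but the post treats admin7 as one), that an ordinary group-less user `alice` with a service account exists, and that both groups live under `ou=group,dc=abc` in the plural spelling of the listing (the ACL itself writes cn=admin / cn=coadmin). What it shows is first-match semantics: the `disclose` clause only does its job because it comes before the coadmin `manage` clause, and swapping the two hands coadmins `manage` on admin entries without any error. Whether slapd parses `[this/-2]/uid` the way the post expects is a separate question that this model cannot answer.

```python
"""Model of ordered `by` clause evaluation for the userPassword ACL in the post.

This is NOT slapd's set engine. Each set expression is rewritten as a plain
predicate under the post's reading of the syntax; the directory is constructed
inline. Use slapacl(8) against the real config to see what slapd really does.
"""
from typing import Callable, List, Optional, Tuple

# Assumption: group DNs as in the post's listing (plural), both under ou=group.
ADMINS = "cn=admins,ou=group,dc=abc"
COADMINS = "cn=coadmins,ou=group,dc=abc"
# Constructed memberUid sets. Assumption: admin7 is an admins member too.
GROUPS = {
    ADMINS: {"admin1", "admin7"},
    COADMINS: {"coadmin5", "coadmin6"},
}
ANONYMOUS = ""  # slapd's empty DN for an unauthenticated session


def rdns(dn: str) -> List[str]:
    """Split a DN into RDNs; sufficient for the post's DNs (no escaped commas)."""
    return [r.strip() for r in dn.split(",")]


def uid(dn: str) -> Optional[str]:
    """What `this/uid` or `user/uid` yields when uid is the naming attribute
    (assumption: it is, for every People entry here)."""
    attr, _, value = rdns(dn)[0].partition("=")
    return value if attr.lower() == "uid" else None


def strip_left(dn: str, n: int) -> str:
    """`dn/-n` in the post's reading: drop the n leftmost RDNs, so that
    uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc
    becomes uid=admin7,ou=People,dc=abc for n=2."""
    return ",".join(rdns(dn)[n:])


def in_group(group_dn: str, dn: str) -> bool:
    """`[group_dn]/memberUid & dn/uid` is a non-empty set."""
    u = uid(dn)
    return u is not None and u in GROUPS[group_dn]


def is_admin_entry(target: str) -> bool:
    """The post's second `by set`: the target is an admin's root account, or
    sits two RDNs below one (a service account such as uid=bil,...)."""
    return in_group(ADMINS, target) or in_group(ADMINS, strip_left(target, 2))


# (clause name, predicate(user, target), access level; None models `break`)
Clause = Tuple[str, Callable[[str, str], bool], Optional[str]]

ACL: List[Clause] = [
    ("admins manage", lambda u, t: in_group(ADMINS, u), "manage"),
    ("coadmins disclose on admin entries",
     lambda u, t: is_admin_entry(t) and in_group(COADMINS, u), "disclose"),
    ("coadmins manage", lambda u, t: in_group(COADMINS, u), "manage"),
    ("owner writes service account (this/-2 & user)",
     lambda u, t: u != ANONYMOUS and strip_left(t, 2) == u, "write"),
    ("self write", lambda u, t: u != ANONYMOUS and t == u, "write"),
    ("anonymous auth", lambda u, t: u == ANONYMOUS, "auth"),
    ("* break", lambda u, t: True, None),
]


def access(user: str, target: str, acl: List[Clause] = ACL) -> Tuple[str, Optional[str]]:
    """First matching `by` clause wins. A level of None means `break`, i.e.
    evaluation continues with the next `access to` directive (none here)."""
    for name, pred, level in acl:
        if pred(user, target):
            return name, level
    raise AssertionError("`by * break` always matches")


def swapped(acl: List[Clause] = ACL) -> List[Clause]:
    """Same clauses with the disclose clause placed AFTER `coadmins manage`:
    the set expressions are untouched, only the order changes."""
    acl = list(acl)
    acl[1], acl[2] = acl[2], acl[1]
    return acl


# Constructed users and targets (alice and her service account are assumed).
USERS = [ANONYMOUS, "uid=admin1,ou=People,dc=abc", "uid=coadmin5,ou=People,dc=abc",
         "uid=johndoe,authorizedService=serviceA,uid=coadmin5,ou=People,dc=abc",
         "uid=alice,ou=People,dc=abc"]
TARGETS = ["uid=admin7,ou=People,dc=abc",
           "uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc",
           "uid=coadmin6,ou=People,dc=abc",
           "uid=johndoe,authorizedService=serviceA,uid=coadmin5,ou=People,dc=abc",
           "uid=svc,authorizedService=serviceB,uid=alice,ou=People,dc=abc"]

if __name__ == "__main__":
    for label, acl in (("as posted", ACL), ("disclose clause after coadmins manage", swapped())):
        print(f"== {label}")
        for u in USERS:
            for t in TARGETS:
                name, level = access(u, t, acl)
                print(f"{u or '<anonymous>':<68} on {t:<68} {level or 'break':<8} ({name})")
```

Run it next to the real thing: `slapacl -f slapd.conf -D uid=coadmin5,ou=People,dc=abc -b uid=admin7,ou=People,dc=abc userPassword/manage` evaluates the actual ACLs offline against the database, and a mismatch between slapacl's answer and the model's points straight at the set expression slapd is not parsing the way the post expects.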